U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

EPA Is Not Fully Aware of the Extent of Its Use of Cloud Computing Technologies

Report No. 14-P-0323                                    July 24, 2014

Report Contributors:   Rudolph M. Brevard
                       Charles M. Dade
                       Albert E. Schmidt

Abbreviations
3PAO      Third-Party Assessment Organization
BPA       Blanket Purchase Agreement
CFR       Code of Federal Regulations
CIGIE     Council of Inspectors General on Integrity and Efficiency
CIO       Chief Information Officer
CO        Contracting Officer
CSP       Cloud Service Provider
eNOI      Electronic Notice of Intent
EPA       U.S. Environmental Protection Agency
FAR       Federal Acquisition Regulation
FedRAMP   Federal Risk and Authorization Management Program
FY        Fiscal Year
GSA       General Services Administration
IM/IT     Information Management/Information Technology
IT        Information Technology
N/A       Not applicable
NCC       National Computer Center
NDA       Nondisclosure Agreement
NIST      National Institute of Standards and Technology
NOI       Notice of Intent
OAM       Office of Acquisition Management
OEI       Office of Environmental Information
OIG       Office of Inspector General
PMOS      Permit Management Oversight System
SLA       Service Level Agreement
SP        Special Publication
TOS       Terms of Service

Hotline
To report fraud, waste or abuse, contact us through one of the following methods:
email:    OIG_Hotline@epa.gov
phone:    1-888-546-8740
fax:      1-202-566-2599
online:   http://www.epa.gov/oig/hotline.htm
write:    EPA Inspector General Hotline, 1200 Pennsylvania Avenue, NW, Mailcode 2431T, Washington, DC 20460

Suggestions for Audits or Evaluations
To make suggestions for audits or evaluations, contact us through one of the following methods:
email:    OIG_WEBCOMMENTS@epa.gov
phone:    1-202-566-2391
fax:      1-202-566-2599
online:   http://www.epa.gov/oig/contact.html#Full_Info
write:    EPA Inspector General, 1200 Pennsylvania Avenue, NW, Mailcode 2410T, Washington, DC 20460


U.S. Environmental Protection Agency, Office of Inspector General
14-P-0323, July 24, 2014

At a Glance

EPA Is Not Fully Aware of the Extent of Its Use of Cloud Computing Technologies

Why We Did This Review

The U.S. Environmental Protection Agency (EPA), Office of Inspector General (OIG), conducted this audit to evaluate select agency efforts to adopt cloud computing technologies and to review executed contracts between the agency and cloud service providers for compliance with applicable standards. This audit was conducted as part of a governmentwide initiative by the Council of the Inspectors General on Integrity and Efficiency (CIGIE). Information gathered during the subject audit will be incorporated into a governmentwide report to be released by CIGIE.

The report addresses the following EPA goal or cross-agency strategy:
• Embracing EPA as a high-performing organization.

For further information, contact our public affairs office at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2014/20140724-14-P-0323.pdf

What We Found

"EPA officials lack confidence that offices recognize its full use of cloud computing for agency operations."

The CIGIE developed a survey and asked its members to contact their respective agencies and collect information about the deployment of cloud computing technologies. Additionally, CIGIE provided a matrix template for each Inspector General to complete to standardize the results of the CIGIE collaboration effort, and to assist with the completion of the consolidated report. In consultation with the CIGIE, the EPA OIG selected one system to review and completed the provided matrix with test results.

The EPA OIG selected the current contract for the Office of Water's Permit Management Oversight System (PMOS) for testing. In 2012, the Office of Water used the Office of Acquisition Management to contract for a vendor to maintain and host the PMOS application. Although the PMOS was not included in the EPA's response document to the CIGIE survey, the PMOS is currently hosted by an EPA subcontractor whose hosting environment has cloud characteristics. The subcontractor's hosting environment also appeared to meet the definition of a "cloud," as defined by the National Institute of Standards and Technology (NIST) Special Publication 800-145, The NIST Definition of Cloud Computing.

The PMOS enables the EPA to track general and tribal permits at a summary level. The PMOS captures limited information on these permits, which enables the EPA to track the universe and status of these permits. The PMOS is used to prepare National Pollutant Discharge Elimination System reports for the Office of Management and Budget.

Our audit work disclosed management oversight concerns regarding the EPA's use of cloud computing technologies. These concerns highlight the need for the EPA to strengthen its catalog of cloud vendors and its processes to manage vendor relationships to ensure compliance with federal security requirements. In particular:

• The EPA did not know when its offices were using cloud computing.
• The EPA should improve the oversight process for prime contractors (to include ensuring subcontractors comply with federal security requirements and establishing service-level agreements for cloud services).
• There is no assurance that the EPA has access to the subcontractor's cloud environment for audit and investigative purposes.
• The subcontractor is not compliant with the Federal Risk and Authorization Management Program.

The EPA indicated the provided matrix is factually correct. The EPA response and our comments are at appendix B.


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL

July 24, 2014

MEMORANDUM

SUBJECT:  EPA Is Not Fully Aware of the Extent of Its Use of Cloud Computing Technologies
          Report No. 14-P-0323

FROM:     Arthur A. Elkins Jr.

TO:       Rod DeSmet
          Deputy Assistant Inspector General for Audit
          Office of Inspector General (USDA)
          CIGIE Cloud Computing Consolidated Report Lead

Attached please find the results of the subject audit. We performed this audit in accordance with generally accepted government auditing standards. Those standards require the team to plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for the findings and conclusions based on the objectives of the audit.

We believe the evidence obtained provides a reasonable basis for our findings and conclusions and, in all material respects, meets the reporting requirements prescribed by the Council of the Inspectors General on Integrity and Efficiency (CIGIE). In accordance with CIGIE reporting instructions, we are forwarding this report to you.

We briefed agency officials on the results of our audit work and, where appropriate, made adjustments. The results have been verified for accuracy in accordance with our internal quality control process. As part of our process, we were unable to identify a complete audit universe via data call. Of the known cloud systems, we selected the EPA Office of Water's Permit Management Oversight System application using non-statistical sampling.

Prior to starting work on this audit, we were in the process of performing a cloud audit related to two of the EPA's cloud initiatives. During that separate audit, we collected information that made us aware of two cloud initiatives within other program offices. Since we selected two cloud initiatives from the EPA Office of Environmental Information during the other audit, we selected one of the initiatives from a different program office so as not to overburden the EPA Office of Environmental Information.

The EPA offices having primary responsibility for the issues evaluated in the report are the Office of Water and the Office of Administration and Resources Management's Office of Acquisition Management.

We will post this report to our website at http://www.epa.gov/oig.


Table of Contents

Overview of the CIGIE Cloud Computing Collaboration Results Matrix
    Step 1: Cloud Computing Data Call
    Step 2: Inventory of Cloud Services and Service Providers
    Step 3: Roles and Responsibilities Defined in Contracts
    Step 4: Service Level Agreements in Contracts
    Step 5: Access to CSP for Audit and Investigative Purposes
    Step 6: Review of the Agency's Process for Monitoring Its Cloud Computing Provider
    Step 7: Enterprise Management of Cloud Service Providers
    Step 8: FedRAMP Compliance

Appendices
    A  CIGIE Cloud Computing Survey Returned by the EPA
    B  Joint Office of Administration and Resources Management and Office of Water Responses to the Draft Report and OIG Comments
    C  Distribution


Overview of the CIGIE Cloud Computing Collaboration Results Matrix

Purpose:        The purpose of the matrix is to standardize the results of the Council of Inspectors General on Integrity and Efficiency (CIGIE) collaboration effort to assist with the completion of the consolidated report.

Instructions:   Provide responses to the questions in the matrix. Complete one matrix per system tested. You should design your testing to address the questions specified within each step. Each step has its own tab within the matrix. The response options include Yes, No, or N/A and are available in a drop-down list within the cell. If more than a Yes, No, or N/A is necessary for the question, we have included instructions to place the specific information in the "IG Comments" field. Additionally, please feel free to include any additional comments that are warranted.

Criteria:       When possible, we have included references to criteria for the applicable steps.

Modifications:  If during the course of completing the matrix the auditor identifies a potential improvement to the matrix, please notify the following individual for requested modifications:
                Corey Bidne, Senior Auditor, USDA-OIG
                corey.bidne@oig.usda.gov
                816.823.3884

Agency Point of Contact (the individual in charge of testing)
Name:           Rudolph M. Brevard
Department:     Office of the Inspector General (OIG)
Agency:         Environmental Protection Agency (EPA)
Phone:          (202) 566-0893
Email:          brevard.rudy@epa.gov

The matrix is divided into tabs based on the following sections. You should design your testing to address the questions specified within each tab.
Step 1   Cloud Data Call
Step 2   Cloud System Inventory
Step 3   Cloud Service Agreements (TOS, NDAs)
Step 4   Cloud Service Level Agreements
Step 5   Cloud Service Access
Step 6   Cloud Service Provider Monitoring
Step 7   Cloud Service Central Management
Step 8   FedRAMP Compliance Progress


Procedure Step 1: Cloud Computing Data Call

Purpose:            Request data on agency cloud computing practices for the review of the agency's cloud computing technologies.
Scope/Methodology:  Submit the CIGIE Cloud Computing Survey to the agency and request data on current fiscal year (FY 2014) cloud computing systems for the review of the agency's cloud computing technologies.
Agency:             EPA
System:
Prepared By:        Albert E. Schmidt
Reviewed By:        Charles M. Dade

Audit Step 1.1
Question:     Date the agency's inspector general contact received the completed CIGIE Cloud Computing Survey from the agency? (mm/dd/yyyy)
Response:     February 19, 2014
IG Comments:  N/A

Audit Step 1.2
Question:     If the agency did not return a completed survey, please provide a reason why in the response field (i.e., the agency was not able to provide one because it did not have any cloud systems in its inventory).
Response:     N/A. The agency returned the survey.
IG Comments:  N/A


Procedure Step 2: Inventory of Cloud Services and Service Providers

Purpose:            Determine the agency's enterprise-wide inventory of cloud IT services and service providers, and select a sample of providers to evaluate.
Source:             Compile the results of questionnaires sent to the department/agency Chief Information Officers (CIOs).
Scope/Methodology:  Determine the department/agency's enterprise-wide inventory of cloud IT services and service providers as of the survey date (FY 2014) and select a sample of providers for evaluation.
Prepared By:        Albert E. Schmidt
Reviewed By:        Charles M. Dade

Audit Step 2.1
Question:     How many total cloud IT services were identified from the survey? (List the numerical value of services in the response field, limited to 2 digits.)
Response:     11
IG Comments:  The auditor lacks confidence that there were 11 cloud IT services, as identified in the completed cloud survey. Specifically, the Office of Acquisition Management (OAM) indicated that the Cloud Survey was completed by performing a search for the word "cloud" in the procurement description. As a result, the auditor concludes that regardless of whether a contract was a cloud contract, the contract would only be included on the list if the term "cloud" appeared in the description of the procurement. During the audit, the auditor became aware of one application incorrectly listed as a cloud application and two applications that appear to be cloud applications not included in the survey results. The OAM said it has no database that specifically identifies "cloud" procurements.

Audit Step 2.2
Question:     How many unique cloud service providers were identified from the survey? (List the numerical value of providers in the response field, limited to two digits.)
Response:     10


Procedure Step 3: Roles and Responsibilities Defined in Contracts

Purpose:            Determine if the agency's contracts with cloud service providers clearly define the roles and responsibilities of the agency, the Cloud Service Provider (CSP) and, if applicable, system integrators.
Scope/Methodology:  Review selected contracts that have been executed between the agency and the CSP/reseller and determine whether the contract contains clearly defined roles for the agency, the CSP and any system integrators.
Note:               If the contract was procured through the General Services Administration (GSA) IT 70 Federal Supply Schedule (FSS), a GSA blanket purchase agreement (BPA), or a shared service BPA, when reviewing the contract, be sure to include the original contract and solicitation documentation that was agreed to by GSA or the BPA originating agency in your review, to ensure all contract documentation is reviewed prior to making a determination on the results of your audit testing.
Supplement:         A supplemental guide was created to assist the auditor with identifying the additional terms, conditions, and clauses. The guide is titled "CIGIE Audit Results Matrix Supplement-IT 70 Schedule Clauses.docx."
Prepared By:        Albert E. Schmidt
Reviewed By:        Charles M. Dade

Audit Step 3.1
Question:     Did the cloud contract include Terms of Service (TOS) clauses? (Cloud Best Practices Bookmark 5)
Response:     No
IG Comments:  The contract indicates the primary contractor will host the Permit Management Oversight System (PMOS) application and will follow the EPA's policies and procedures; however, there are no specific Terms of Service (TOS) clauses related to the hosting of the PMOS application (we reviewed the contract, amendment, and task orders). Additionally, the EPA has not agreed to terms of service outside of the contract. On April 30, 2014, the EPA said the primary contractor agreed to the service agreement of the subcontractor responsible for hosting the PMOS and provided a link to the service agreement that included the following disclaimer:

    "You acknowledge and agree that your use of the services is solely at your own risk, and that except as expressly provided herein the services are provided on an 'as is' and 'as available' basis. [The subcontractor hosting the PMOS application] expressly disclaims any and all warranties and conditions of any kind, express, implied, or statutory, including, without limitation, the implied warranties of title, noninfringement, merchantability, and fitness for a particular purpose and any warranties arising from a course of dealing, usage or trade practice.

    Furthermore, [the subcontractor hosting the PMOS application] does not warrant that the services and/or any information obtained thereby shall be complete, accurate, uninterrupted, secure or error free. [The subcontractor hosting the PMOS application] further makes no warranty that the services will meet your requirements, nor does [the subcontractor hosting the PMOS application] make any warranty as to the results that may be obtained from the use of the services."

Audit Step 3.1a
Question:     If not, did the department/agency sign a TOS agreement with the cloud service provider?
Response:     No
IG Comments:  The EPA has not agreed to TOS outside of the contract.

Audit Step 3.2
Question:     If the TOS clauses were not directly within the contract but were referenced within the contract, were the TOS clauses negotiated and agreed to prior to the contract being awarded? (Cloud Best Practices Bookmark 1)
Response:     No
IG Comments:  There were no TOS agreed to within or outside the contract related to the hosting of the PMOS application between the EPA and the primary vendor; however, as identified in audit step 3.1, the prime contractor did accept the TOS with the subcontractor. The contracting officer said they only became aware of the subcontractor as a result of audit inquiries.

Audit Step 3.3
Question:     Is there a departmental/agency official assigned to monitor the cloud service provider's compliance with the TOS?
Response:     No
IG Comments:  There are no TOS between the EPA and the primary contractor related to hosting the PMOS application.

Audit Step 3.4
Question:     Is there a departmental/agency official assigned to monitor the agency's compliance with the TOS?
Response:     No
IG Comments:  There are no TOS between the EPA and the primary contractor related to hosting the PMOS application.

Audit Step 3.5
Question:     Do the TOS clauses or the cloud contract address timeframes that the CSP will need to follow in order to comply with federal agency rules and regulations? (Cloud Best Practices Bookmark 2)
Response:     No
IG Comments:  There are no TOS between the EPA and the primary contractor related to hosting the PMOS application.

Audit Step 3.6
Question:     Did the cloud service provider sign a nondisclosure agreement (NDA) with the department/agency in order to protect non-public information that is procurement-sensitive, or affects pre-decisional policy, physical security, or other information deemed important to protect? (Cloud Best Practices Bookmark 3)
Response:     No
IG Comments:  The cloud service provider (CSP), a subcontractor, did not sign a nondisclosure agreement (NDA), but instead only had a service agreement with the primary contractor. This service agreement contains a warranty disclaimer that states:

    [The subcontractor hosting the PMOS application] "does not warrant that the services and/or any information obtained thereby shall be complete, accurate, uninterrupted, secure or error free."

    Since the prime contractor accepted the terms of the CSP, there is no NDA between the EPA and the CSP.

Audit Step 3.6a
Question:     If so, does the NDA establish rules of behavior for the CSP and a method to monitor end-user activities in the cloud environment? (Cloud Best Practices Bookmark 4)
Response:     No
IG Comments:  The EPA does not have an NDA established for the CSP; therefore, no rules of behavior associated with a nondisclosure agreement were established for the CSP. Although no nondisclosure agreement or associated rules of behavior exist for the CSP (a subcontractor), the blanket purchase agreement (BPA or contract) established rules of behavior for the primary contractor. However, we reviewed and determined that the PMOS BPA, related task orders, and modifications did not provide a method to monitor end-user activities.

Audit Step 3.6b
Question:     If so, is there a departmental/agency official assigned to monitor the cloud service provider's compliance with the NDA?
Response:     No
IG Comments:  The EPA does not have an official assigned to monitor CSP compliance with the NDA. The contracting officer said they are unaware of an official assigned to monitor CSP compliance with the NDA.


Procedure Step 4: Service Level Agreements in Contracts

Purpose:            Determine if the agency's contracts with cloud service providers contain service level agreements (SLAs) that define performance with clear terms and definitions, demonstrate how performance is being measured, and state what enforcement mechanisms are in place to ensure SLAs are met.
Scope/Methodology:  Review service level agreements with cloud providers and determine whether the SLA:
                    1. Defines performance with clear terms and definitions (uptimes, etc.)
                    2. Demonstrates how performance is being measured
                    3. Defines enforcement mechanisms when performance is not met
Note:               If the contract was procured through the GSA IT 70 Federal Supply Schedule (FSS), a GSA BPA, or a shared service BPA, when reviewing the contract, be sure to include the original contract and solicitation documentation that was agreed to by GSA or the BPA originating agency in your review, to ensure all contract documentation is reviewed prior to making a determination on the results of your audit testing.
Supplement:         A supplemental guide was created to assist the auditor with identifying the additional terms, conditions, and clauses. The guide is titled "CIGIE Audit Results Matrix Supplement-IT 70 Schedule Clauses.docx."
Prepared By:        Albert E. Schmidt
Reviewed By:        Charles M. Dade

Audit Step 4.1
Question:     Does the agency have an executed service level agreement (SLA) with the CSP, either as part of the contract or as a stand-alone document?
Response:     No
IG Comments:  The EPA does not have an SLA. The EPA does have performance work statements (specified in the BPA), which provide the scope of work for the PMOS. Task orders have Performance Standards and Quality Assurance Surveillance Plans. However, neither the performance work statements nor the task orders that have Performance Standards and Quality Assurance Surveillance Plans provided detailed service levels for contractors to uphold with regard to hosting the PMOS application. These documents only state the vendor is to host the application but do not specify any service levels for contractors to uphold with regard to hosting. Additionally, as noted in audit step 3.1, the prime contractor agreed to the subcontractor's service agreement that contained a disclaimer on any and all warranties.

Audit Step 4.2
Question:     Does the executed SLA for the cloud service specify required uptime percentages? (NIST SP 800-146, 3.1)
Response:     No
IG Comments:  The auditor reviewed and concluded that there are no SLAs that specify required uptime percentages for the PMOS in the EPA's performance work statements specified in the BPA, or in the task orders that have Performance Standards and Quality Assurance Surveillance Plans.

Audit Step 4.3
Question:     Does the executed SLA for the cloud service describe how the uptime percentage is calculated? (NIST SP 800-146, 3.1)
Response:     No
IG Comments:  There are no uptime requirements for PMOS.

Audit Step 4.4
Question:     Does the executed SLA detail remedies to be paid by the CSP to the agency if the uptime requirements are not met? (NIST SP 800-146, 3.1)
Response:     No
IG Comments:  There are no uptime requirements for PMOS.

Audit Step 4.5
Question:     Has the department/agency assigned someone to monitor the actual uptime, compare it to the percentage included in the executed SLA, and pursue service credits if applicable? (NIST SP 800-146, 3.1)
Response:     No
IG Comments:  There are no uptime requirements for PMOS.

Audit Step 4.6
Question:     Has the department/agency realized any service credits due to uptime failures?
Response:     No
IG Comments:  There are no uptime requirements for PMOS.

Audit Step 4.7
Question:     Does the executed SLA detail data preservation responsibilities? (NIST SP 800-146, 3.1)
Response:     Yes
IG Comments:  The auditor reviewed and concluded that the BPA indicates:

    • "Once the prototype's requirements are stable, the system will be brought in line with EPA's Architecture." …
    • "Unless specified elsewhere in this contract, title to items furnished in the contract shall pass to the Government upon acceptance, regardless of when or where the Government takes possession."

    Task orders related to the PMOS indicate the contractor shall use a Microsoft Access format to perform two backups per month of the files with priority permit status.

Audit Step 4.8
Question:     Does the executed SLA address scheduled service outages? (NIST SP 800-146, 3.2)
Response:     No
IG Comments:  Scheduled service outages are not addressed in the performance work statements specified in the BPA, or in the task orders that have Performance Standards and Quality Assurance Surveillance Plans.

Audit Step 4.9
Question:     Does the executed SLA require a service outage to be announced in advance in order not to be considered a failure to meet uptime requirements?
Response:     No
IG Comments:  There are no uptime requirements for PMOS.

Audit Step 4.10
Question:     Does the executed SLA address service agreement changes? (NIST SP 800-146, 3.2)
Response:     No
IG Comments:  The PMOS BPA (EP-BPA-12-C-0010) does contain a change clause that states:

    "Changes in the terms and conditions of this contract may be made only by written agreement of the parties."

    However, the service agreement between the prime contractor and the subcontractor hosting the application indicates the cloud service provider can make unilateral changes to the terms of the service agreement by posting to its website.

Audit Step 4.11
Question:     If the CSP reserves the right to modify the terms of the service agreement at any time, does the executed SLA require the CSP to provide notice of the changes to the agency?
Response:     Yes
IG Comments:  The PMOS BPA (EP-BPA-12-C-0010) contains a change clause that states:

    "Changes in the terms and conditions of this contract may be made only by written agreement of the parties;"

    However, unbeknownst to EPA, the service agreement between the prime contractor
and the subcontractor hosting the application indicates the cloud service provider\n                                               can make unilateral changes to the terms of the service agreement by posting to the\n                                               subcontractor\xe2\x80\x99s website.\n\n\n\n\n14-P-0323\n\n                                                                                                                             10\n\x0cProcedure Step:        5. Access to CSP for Audit and Investigative Purposes\n                       Determine if contracts with cloud service providers (CSPs) contain recommended language for allowing\nPurpose:\n                       agency personnel access to CSP facilities to perform audit and investigative activities as needed.\n                   Review selected contracts with CSPs and determine whether they contain the recommended Federal\nScope/Methodology: Acquisition Regulation (FAR) clauses for access to CSP facilities and specific details addressing investigative,\n                   forensic and audit access.\n\n                       If the contract was procured through the GSA IT 70 Federal Supply Schedule (FSS), a GSA BPA, or a shared\n                       service BPA, when reviewing the contract, be sure to include the original contract and solicitation\nNote:\n                       documentation that was agreed to by GSA or the BPA originating agency in your review to ensure all contract\n                       documentation is reviewed prior to making a determination on the results of your audit testing.\n\n                       A supplemental guide was created to assist the auditor with identifying the additional terms, conditions and\nSupplement:\n                       clauses. The guide is titled \xe2\x80\x9cCIGIE Audit Results Matrix Supplement-IT 70 Schedule Clauses.docx.\xe2\x80\x9d\n\n\nPrepared By:            Albert E. Schmidt\nReviewed By:            Charles M. 
Dade\n\nCriteria:\n                       (b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the\n                       security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access\nFAR 52.239-1(b)\n                       to the Contractor\xe2\x80\x99s facilities, installations, technical capabilities, operations, documentation, records, and\n                       databases.\n\n                    \xe2\x80\x9cFull cooperation\xe2\x80\x9d\xe2\x80\x94 (1) Means disclosure to the Government of the information sufficient for law\n                    enforcement to identify the nature and extent of the offense and the individuals responsible for the conduct. It\nFAR 52.203-13(a)(1)\n                    includes providing timely and complete response to Government auditors\xe2\x80\x99 and investigators\' request for\n                    documents and access to employees with information;\n\n\n\n14-P-0323\n\n                                                                                                                                  11\n\x0c                         General. (1) The Comptroller General of the United States, an appropriate Inspector General appointed under\n                         section 3 or 8G of the Inspector General Act of 1978 (5 U.S.C. 
App.), or an authorized representative of either\nFAR 52.215-2 (d)(1)      of the foregoing officials, shall haveaccess to and the right to\xe2\x80\x94 (i) Examine any of the Contractor\xe2\x80\x99s or any\n                         subcontractor\xe2\x80\x99s records that pertain to and involve transactions relating to this contract or a subcontract\n                         hereunder; and (ii) Interview any officer or employee regarding such transactions.\n\nCloud Best\n                         https://cio.gov/wp-content/uploads/downloads/2012/09/cloudbestpractices.pdf\nPractices:\n                         The Cloud Best Practices is a joint publication between the CIO Council and the Chief Acquisition Officers\n                         Council - we have included these benchmarks for cloud contracts within our testing because the paper was\n                         created with the intention of being "the next step in providing Federal agencies more specific guidance in\n                         effectively implementing the \xe2\x80\x9cCloud First\xe2\x80\x9d policy and moving forward with the \xe2\x80\x9cFederal Cloud Computing\n                         Strategy\xe2\x80\x9d by focusing on ways to more effectively procure cloud services within existing regulations and\n                         laws.\xe2\x80\x9d\n\nAudit       Question to Address            Response                                        IG Comments\nStep #\n 5.1   Does the cloud contract,               Yes         The contract between the prime contractor and the EPA contains the FAR\n       service level agreement                            clause 52.239-1 [48 CFR 52.239-1] via the applicable GSA Federal Supply\n       (SLA), or Terms of Service                         Schedule Contract. 
However, the prime contractor agreed to the service\n       (TOS) agreement, contain                           agreement of the subcontractor hosting the application, and this agreement does\n       FAR clause 52.239-1, allowing                      not contain the FAR clause 52.239-1. The agreement contains language that\n       the agency access to the                           would prevent the prime contractor from imposing clauses found in the EPA\xe2\x80\x99s\n       CSP\xe2\x80\x99s facilities, installations,                   contract with the prime contractor on the subcontractor.\n       technical capabilities,\n       operations, documentation,\n       records, and databases?\n 5.2   Does the cloud contract, SLA,          No          For the PMOS BPA, task orders, and modifications, the PMOS contract did not\n       or TOS allow agencies to                           contain language that allows the EPA to conduct forensic investigations for both\n       conduct forensic investigations                    criminal and non-criminal purposes without interference from the CSP.\n       for both criminal and non-\n       criminal purposes without\n       affecting data integrity and\n       without interference from the\n\n14-P-0323\n\n                                                                                                                                        12\n\x0c        CSP? (Cloud Best Practices,\n        Pg. 
15, Forensics)\n  5.3   Does the cloud contract, SLA,    No    For the PMOS BPA, task orders, and modifications, the PMOS contract, SLA, or\n        or TOS allow the CSP to only           TOS did not contain language to restrict the CSP to only making changes to the\n        make changes to the cloud              cloud environment under specific standard operating procedures agreed to by\n        environment under specific             the CSP and the EPA in the contract.\n        standard operating procedures\n        agreed to by the CSP and the\n        federal agency in the\n        contract? (Cloud Best\n        Practices, Pg. 15, Forensics)\n  5.4   Does the cloud contract, SLA,    Yes   The contract between the prime contractor and the EPA contains the FAR\n        or TOS include FAR clause              clause 52.203-13 [48 CFR 52.203-13] via the applicable GSA Federal Supply\n        52.203-13, requiring                   Schedule Contract. However, the prime contractor agreed to the service\n        contractors fully cooperate by         agreement of the subcontractor hosting the application and this agreement does\n        disclosing sufficient                  not contain the FAR clause 52.203-13. 
The agreement contains language that\n        information for law                    would prevent the prime contractor from imposing clauses found in the EPA\xe2\x80\x99s\n        enforcement to identify the            contract with the prime contractor on the subcontractor.\n        nature and extent of the\n        offense as well as providing\n        timely response to\n        government auditor and\n        investigator requests for\n        documents and access to\n        employees with information?\n        (FAR 52.203-13 (a)(1))\n  5.5   Does the cloud contract, SLA,    No    For the PMOS BPA, task orders, and modifications, the PMOS contract did not\n        or TOS address procedures              contain language to address procedures for electronic discovery when\n        for electronic discovery when          conducting a criminal investigation.\n        conducting a criminal\n        investigation?\n  5.6   Does the cloud contract,         No    For the PMOS BPA, task orders, and modifications, the contract between the\n        service level agreement                prime contractor and the EPA does not contain FAR clause 52.215-2 [48 CFR\n        (SLA), or Terms of Service             52.215-2].\n        (TOS) agreement, contain\n        FAR clause 52.215-2, granting\n        the Inspector General access\n        to: (i) Examine any of the\n        contractor\xe2\x80\x99s or any\n\n14-P-0323\n\n                                                                                                                            13\n\x0c        subcontractor\xe2\x80\x99s records that\n        pertain to and involve\n        transactions relating to this\n        contract or a subcontract\n        hereunder; and (ii) Interview\n        any officer or employee\n        regarding such transactions?\n  5.7   Does the cloud contract, SLA,     No   For the PMOS BPA, task orders, and modifications, the PMOS contract, SLA, or\n        or TOS include language             
   TOS did not include language that allows the Office of Inspector General full and\n        allowing the Office of                 free access to contractor and subcontractor facilities, installations, operations,\n        Inspector General full and free        documentation, databases, and personnel used in performance of the contract in\n        access to the contractor\xe2\x80\x99s (and        order to conduct audits, inspections, investigations or other reviews.\n        subcontractor\'s) facilities,\n        installations, operations,\n        documentation, databases,\n        and personnel used in\n        performance of the contract in\n        order to conduct audits,\n        inspections, investigations, or\n        other reviews?\n\n\n\n\n14-P-0323\n\n                                                                                                                              14\n\x0cProcedure Step:            6. Review the Agency\xe2\x80\x99s Process for Monitoring Its Cloud Computing Provider\n                           Determine whether the agency monitors its cloud computing providers (and if applicable integrators)\nPurpose:\n                           to ensure they meet service level obligations.\n\n                   Review the cloud service documentation for the selected contracts, conduct interviews with applicable\n                   personnel and compare with recommended best practices for contract and service level agreement monitoring\nScope/Methodology:\n                   to determine whether the agency has a process in place to effectively manage its cloud computing providers\n                   to ensure they meet their contractual obligations.\n\nPrepared By:               Albert E. Schmidt\nReviewed By:               Charles M. 
Dade\n\nAudit      Question to Address          Response                                              IG Comments\nStep #\n 6.1   Has the agency designated a Yes                     The agency designated a Task Order Contract Officer Representative, who is\n       person responsible for                              responsible for monitoring the system integrator (the prime contractor) to verify that\n       monitoring the cloud service                        contractual obligations are met.\n       provider (CSP) and/or the\n       system integrator to verify that\n       contractual obligations are\n       met?\n\n\n\n\n  6.2   Does the agency monitor its       No               The agency does not have a service level agreement associated with the contract\n        cloud service provider to                          reviewed.\n        ensure its service level\n        obligations are met?\n  6.3   Does the agency monitor its       No               The agency does not have a service level agreement associated with the contract\n        system integrator, if different                    reviewed.\n        from the CSP, to ensure its\n        service level obligations are\n        met?\n\n\n14-P-0323\n\n                                                                                                                                            15\n\x0cProcedure Step:          7. Enterprise Management of Cloud Service Providers\n                         Determine if the department/agency centrally manages contracts with cloud service providers to fully\nPurpose:\n                         recognize all applicable pricing discounts.\n                         Interview applicable personnel and review applicable documentation to determine if the department/agency\nScope/Methodology:\n                         centrally manages contracts with cloud service providers to fully recognize all applicable pricing discounts.\n\n\nPrepared By:               Albert E. 
Schmidt\nReviewed By:               Charles M. Dade\n\nAudit        Question to Address           Response                                          IG Comments\nStep #\n  7.1  Does the department/agency              No          The EPA does not have an office or a group that centrally manages cloud service\n       have an office or group that                        contracts. Management of contracts (including cloud services) is shared between\n       centrally manages cloud                             an individual program office and the agency\xe2\x80\x99s OAM.\n       service contracts to recognize\n       applicable pricing discounts?\n 7.1a If so, was this office/group             No          Management of the procurement of contracts (including cloud services) is shared\n       utilized to procure all cloud                       between a program office and the OAM.\n       services sampled?\n  7.2  Were any pricing discounts              No          The summary price sheet for the EPA\'s BPA with the prime contractor indicates the\n       realized on the cloud services                      base year\xe2\x80\x99s quoted rates are from the prime contractor\xe2\x80\x99s GSA contract. Additionally,\n       procured?                                           
there is a 3 percent annual escalation for the option years, because the prime\n                                                           contractor had to estimate what the actual GSA rates would be for the years\n                                                           beyond the base year, and because the prime contractor\xe2\x80\x99s GSA contract specifies\n                                                           that escalation is based on the Department of Labor\xe2\x80\x99s employment cost index.\n 7.2a   If so, document the amount of          N/A\n        savings into the response\n        field.\n  7.3   Was a blanket purchase                 Yes         There was a BPA used to procure this cloud service. The BPA was for technical\n        agreement (BPA) used to                            support services, not cloud services. There is no use of cloud services in the BPA.\n        procure this cloud service?                        A subcontractor was providing cloud services.\n  7.4   Was a GSA cloud BPA used               No          Although the EPA said GSA schedule holders were solicited for cloud service, the\n        to procure this cloud service?                     BPA was for technical support services and not cloud services. A subcontractor\n                                                           was providing cloud services.\n\n\n\n14-P-0323\n\n                                                                                                                                          16\n\x0c  7.5   Was the GSA IT 70 Federal        No    Although EPA indicated that GSA schedule holders were solicited for the EPA\'s\n        Supply Schedule (FSS) used             BPA for the PMOS contract; the GSA IT 70 Federal Supply Schedule was not used\n        to procure this cloud service?         to procure the PMOS cloud service. 
Additionally, the Subcontractor that was\n                                               providing the cloud service, was not included on the GSA schedules.\n  7.6   Was a cost savings analysis      No    There was no cost savings analysis done.\n        performed on the use of the\n        cloud service?\n 7.6a   If so, document the amount of    N/A   Since there was not a cost savings analysis done, there are no identified savings to\n        savings identified into the            document\n        response field.\n\n\n\n\n14-P-0323\n\n                                                                                                                              17\n\x0cProcedure Step:              8. FedRAMP Compliance\n                             Determine the progress of the cloud service and cloud service provider (CSP) in obtaining FedRAMP\nPurpose:\n                             compliance for the system/service implemented.\n                             Verification with FedRAMP portals, cloud service document review, and interviews with applicable\nSource:\n                             personnel.\nScope/Methodology:           For the cloud services selected, review evidence of FedRAMP compliance submitted by the agency.\n\n\nPrepared By:         Albert E. Schmidt\nReviewed By:         Charles M. 
Dade\n\nCriteria:\nFedRAMP Reference Guide: http://www.gsa.gov/portal/mediaId/170599/fileName/Guide_to_Understanding_FedRAMP_042213\nFedRAMP Compliance Steps: http://www.gsa.gov/portal/category/102999\nFedRAMP Compliant CSP: http://www.gsa.gov/portal/content/131931\nFedRAMP Compliant 3PAO: http://www.gsa.gov/portal/content/131991\nFedRAMP Contract Clauses: http://www.gsa.gov/graphics/staffoffices/FedRAMP_Standard_Contractual_Clauses_062712.pdf\nFedRAMP Concept of Operations: http://www.gsa.gov/portal/mediaId/154239/fileName/CONOPS_V12_072712\nFedRAMP Sec Controls Preface: http://www.gsa.gov/graphics/staffoffices/FedRAMP_Security_Controls_072912.zip\nFedRAMP Baseline Sec Controls: http://www.gsa.gov/graphics/staffoffices/FedRAMP_Security_Controls_072912.zip\n\nAudit       Question to Address          Response                                        IG Comments\nStep #\n 8.1   Is the cloud service FedRAMP No                The EPA\xe2\x80\x99s CSP was not included in the GSA\xe2\x80\x99s Federal Risk and Authorization\n       compliant?                                     Management Program (FedRAMP) listing.\n\n                                                      The OAM said the purpose of the PMOS procurement order was:\n\n                                                      \xe2\x80\x9cNot to procure Cloud services, rather the order was placed for technical support\n                                                      services in support of existing systems as follows: develop, maintain, and revise the\n                                                      eNOI and NOI Processing Systems, modify the eNOI system to accommodate new\n                                                      permits, provide regional, state, and public access to permit documents, data, and\n                                                      posting support, develop system training tools, and track permit priority and\n                                                      backlog. 
Per the afore-mentioned excerpt from the Performance Work Statement,\n\n14-P-0323\n\n                                                                                                                                     18\n\x0c            there is no mention of a cloud services requirement. In response to the solicitation,\n            vendors were required to offer their best technical solution for completing the above\n            tasks, and [the prime contractor] offered a technical solution that included the cloud.\n            Since the requirement was not for Cloud services, there was no reason for the\n            contract to contain terms and conditions specifically on the performance of cloud\n            services.\xe2\x80\x9d\n\n            Although, the EPA did not intend to procure a cloud service, the agency accepted a\n            contract whose technical solution included the cloud. As a result, the auditor\n            concludes that the contract should have included terms and conditions specifically\n            on the performance of cloud services for those parts of the contract hosted in the\n            cloud.\n\n            Additionally, OAM stated that \xe2\x80\x9cthe cloud services part of the technical solution was\n            performed by a subcontractor to the prime awardee.\xe2\x80\x9d As a result, the OAM believed\n            that \xe2\x80\x9cper FAR 42.505 the EPA has no privity of contract with a subcontractor.\n            Accordingly, the reason [OAM does] not \xe2\x80\x98appear to have any oversight or control\xe2\x80\x99\n            over the subcontractor\xe2\x80\x99s activities is because [OAM is] legally precluded from such\n            a relationship.\xe2\x80\x9d\n\n            The EPA\xe2\x80\x99s Required Practices Concerning Subcontracts indicates the following:\n\n            \xe2\x80\x9cBefore consenting to a subcontract, the [contracting officer] CO reviews the\n            request and supporting data and considers such 
factors as: technical need for\n            services, compliance with the prime contract\xe2\x80\x99s goals for subcontracting with small\n            disadvantaged business and women-owned business concerns, adequacy of\n            competition, responsibility of the proposed subcontractor, proposed type and terms\n            and conditions of the subcontract, and adequacy and reasonableness of cost or\n            price analysis performed. The project officer reviews the prime contractor\xe2\x80\x99s request\n            for subcontract consent, and provides comments to the CO on the technical need\n            and appropriateness of the supplies or services, the reasonableness of the\n            subcontract estimate in terms of level of effort, and types and quantities of\n            proposed other direct costs; location, duration, number of travelers and purpose of\n            proposed travel; skill level, labor mix, and direct labor hours to be expended; and\n            the capabilities of the proposed subcontractor.\xe2\x80\x9d\n\n            As a result, the auditor concludes that the CO should only consent to\n            subcontractors for hosting services, if the subcontractor meets the necessary\n            federal security requirement.\n\n\n14-P-0323\n\n                                                                                             19\n\x0c 8.1a   If not, has the agency or the      No    Per the CO, the EPA has not pursued any actions regarding the FedRAMP and the\n        CSP applied to FedRAMP to                subcontractor. In fact, the subcontractor is responsible for hosting the Permit\n        initiate the assessment                  Management Oversight System (PMOS) application and has a service agreement\n        review?                                  
with the prime contractor, which includes a disclaimer wherein the subcontractor\n                                                 states that it \xe2\x80\x9cdoes not warrant that the services and/or any information obtained\n                                                 thereby shall be complete, accurate, uninterrupted, secure or error free.\xe2\x80\x9d\n 8.1b   If not, has the CSP           No         Per the contracting officer, the EPA has not pursued any actions regarding the\n        documented its FedRAMP                   FedRAMP and the subcontractor. In fact, the subcontractor is responsible for\n        implemented security controls            hosting the PMOS application and has a service agreement with the prime\n        in its System Security Plan?             contractor, which includes a disclaimer wherein the subcontractor states that it\n                                                 \xe2\x80\x9cdoes not warrant that the services and/or any information obtained thereby shall be\n                                                 complete, accurate, uninterrupted, secure or error free.\xe2\x80\x9d\n 8.1c   If not, has the cloud service      No    Per the contracting officer, the EPA has not pursued any actions regarding the\n        undergone an independent                 FedRAMP and the subcontractor. Additionally, a subcontractor representative said\n        assessment completed by a                the cloud service has not undergone an independent assessment by a FedRAMP-\n        FedRAMP-approved                         approved Third-Party Assessment Organization.\n        Third-Party Assessment\n        Organization (3PAO)? 
        (Verify if the vendor is included on the “FedRAMP Compliant 3PAO” list, included in the criteria links)

 8.1d   Specify assessment organization in response field
        Answer: N/A
        The EPA’s cloud service has not undergone an independent assessment by a FedRAMP-approved
        Third-Party Assessment Organization.

 8.2    Has the cloud service provider received a provisional authorization from the Joint
        Authorization Board?
        Answer: No
        Per the contracting officer, the EPA has not pursued any actions regarding the FedRAMP and the
        subcontractor. Additionally, the subcontractor is not found on the listing of CSPs that received
        provisional authorization from the Joint Authorization Board.

 8.3    Did the agency leverage, or does it plan on leveraging, a pre-existing provisional authorization
        from a FedRAMP-approved CSP?
        Answer: Yes
        The EPA has a contract with a vendor for Infrastructure-as-a-Service. The vendor is included on
        the listing of FedRAMP-compliant CSPs with a provisional authorization to operate.

 8.3a   If so, did the agency separately address a subset of security controls with the CSP that was not
        documented in the Provisional Authorization originally granted by the JAB?
        Answer: Yes
        The EPA issued an authorization to operate for the Infrastructure-as-a-Service cloud vendor
        contract. The authorization to operate indicated the security authorization of the information
        system will remain in effect as long as the conditions exist as follows:
        1. The vulnerabilities reported during the continuous monitoring process do not increase
           agency-level risk to levels deemed unacceptable.
        2. The system has not undergone any major changes requiring the system security plan to be
           updated.
        3. The system’s owner commits to complete any plan of actions and milestones that are
           established now or in the future to ensure the continued effectiveness of the system
           security plan and the security controls specified.

14-P-0323                                                                                   20


                                                     Appendix A

            CIGIE Cloud Computing Survey
                 Returned by the EPA


                                                                                   Appendix B

Joint Office of Administration and Resources Management
      and Office of Water Responses to Draft Report
             and OIG Comments (June 4, 2014)

MEMORANDUM

SUBJECT:       Response to Office of Inspector General Draft Audit Report No. OA-FY14-0126
               “EPA Is Not Fully Aware of Its Use of Cloud Computing Technologies” dated
               July 7, 2014

FROM:          Craig E. Hooks, Assistant Administrator
               Office of Administration and Resources Management

               Nancy Stoner, Acting Assistant Administrator
               Office of Water

TO:            Rudolph M. Brevard, Director
               Information Resources Management Audits
               Office of the Inspector General

Thank you for the opportunity to respond to the factual accuracy of the draft audit report, Office
of Inspector General Draft Audit Report No. OA-FY14-0126, “EPA Is Not Fully Aware of Its
Use of Cloud Computing Technologies,” dated July 7, 2014.

The EPA agrees that the OIG’s Council on the Inspectors General on Integrity and Efficiency
Cloud Computing Collaboration Results Matrix is factually correct. However, throughout the
fieldwork and data collection phase of the audit, the EPA was concerned with the OIG’s narrow
approach of evaluating EPA’s use of cloud computing technologies.

The OIG requested that the Office of Administration and Resources Management provide data
on EPA procurements for cloud computing, but the draft audit focused on only one order under a
Blanket Purchase Agreement. The audited BPA was established to procure technical support to
develop, maintain, and revise the EPA’s Electronic Notice of Intent and Permit Management
Oversight Processing Systems, not to procure cloud services. As a result, the performance work
statement solicited under the BPA did not contain a cloud services requirement and was not
considered a cloud contract. However, in response to the solicitation, vendors proposed their
best technical solutions for completing performance work statement tasks, and the awardee
offered a technical solution that included the cloud, which was provided under a subcontract.
Because of the aforementioned circumstances surrounding this procurement, the primary order
did not contain cloud-specific terms and conditions such as terms of service clauses and service
level agreements.

In light of advances in cloud computing and the federal security management controls, the Office
of Water will evaluate its management controls to make sure our contracts are adhering to
federal and EPA policies, procedures, and guidance with regard to cloud computing.
Additionally, OARM acknowledges responsibility for ensuring contracts awarded also contain
the appropriate terms and conditions, and clauses, applicable to the technical nature of the
requirement. OARM had advised the OIG that the Federal Procurement Data System, the
primary source of acquisition data government-wide, does not collect data specifically on cloud
computing and therefore cannot be relied on for the questionnaire on this subject.

Please contact John Bashista, Director, Office of Acquisition Management, OARM, at 202-564-
4310, or Lisa Maass, OAM Audit Follow-up Coordinator, OARM, at 202-564-2498 for
acquisition-related questions. For questions regarding the Office of Water, please contact
Thomas Dabolt, Director, IM/IT Project Management Office, OW, at 202-564-1450, or Vince
Allen, Assistant Information Management Officer, OW, at 202-564-1675.

Attachment

cc:
Charles Dade
Albert Schmidt
Nanci Gelb
John Showman
Thomas Dabolt
John Bashista
Marilyn Ramos
Vince Allen
Brandon McDowell
Lisa Maass


  OIG Comments

  During the entrance meeting, the OIG indicated that OAM should coordinate with the Office of
  Environmental Information (OEI) in determining the population of cloud IT services. The OIG did not
  identify any particular data system for OAM to use to identify the population of the EPA’s cloud IT
  services. This would be something that the agency would need to identify and track as a part of its
  procurement process to ensure that appropriate clauses to protect the government are included
  during the procurement process. The OIG did not rely on any database when performing the audit
  work.

  Prior to starting work on this audit, we were in the process of performing a cloud audit related to two
  of OEI’s cloud initiatives. During that separate audit, we collected information that made us aware of
  two cloud initiatives within other program offices. Since we selected two cloud initiatives from OEI
  during the other audit, we selected one of the initiatives from a different program office to not
  overburden OEI. We selected the cloud initiative for testing as a part of this review prior to receiving
  the completed cloud survey from the agency.


                                                                                Appendix C

                                     Distribution

Office of the Administrator
Assistant Administrator for Administration and Resources Management
Assistant Administrator for Water
Assistant Administrator for Environmental Information and Chief Information Officer
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Principal Deputy Assistant Administrator for Administration and Resources Management
Principal Deputy Assistant Administrator for Water
Principal Deputy Assistant Administrator for Environmental Information
Audit Follow-Up Coordinator, Office of Administration and Resources Management
Audit Follow-Up Coordinator, Office of Water